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Abstract 

This paper shows how 3 well-known sorting algorithms can be derived by similar sequences of 
transformation steps from a common specification. Each derivation uses an auxiliary algorithm 
based on insertion into an intermediate structure. The proofs given involve both inductive and 
coinductive reasoning, which are here expressed in the same program calculation framework, 
based on unicity properties. 
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Abstract. This paper proposes new derivations ol three well-known sorting algorithms, in their 
functional formulation. The approach we use is based on three main ingredients: first, the al- 
gorithms are derived from a simpler algorithm, i.e. the specification is already a solution to 
the problem (in this sense our derivations are program transformations). Secondly, a mixture 
of inductive and coinductive arguments are used in a uniform, algebraic style in our reasoning. 
Finally, the approach uses structural invariants so as to strengthen the equational reasoning with 
logical arguments that cannot be captured in the algebraic framework. 

1 Introduction 

This paper presents new derivations of three well-known sorting algorithms, in the functional 
setting. Our approach can be summarized as follows: 

1. It is based on program transformation in the sense that we depart from a specification that 
is already a (not very efficient) algorithm for solving the problem. Traditional derivations 
of sorting algorithms (building on the work of Burstall and Darlington) formalize the "is 
sorted" property on lists. Instead, we take the insertion sort algorithm to be a specification 
of sorting, and derive, by sequences of correct steps, more efficient algorithms from it. 

2. The algorithms that we derive follow the derive and conquer strategy and as such are 
not structurally recursive on their arguments. For this reason a combination of inductive 
and coinductive reasoning must be used. We adhere here to the equational style of rea- 
soning usually known to functional programmers as program calculation, which relies on 
uniqueness properties of certain recursion patterns. Although the proofs are independent 
of this choice, we find that this allows for greater uniformity between the inductive and 
coinductive arguments. 

3. In two of our three derivations, the equational reasoning must be strengthened by using 
invariants on certain intermediate data-structures, since some of the equalities one needs to 
prove are not universal for a given data-type. For instance, it is not true that the in-order 
traversal of any binary tree produces a sorted list. This is however true for trees produced 
in a certain way. As far as we know there is very little work on program calculation 
strengthened with invariants. 

4. The algorithms are derived as hylomorphisms, i.e. as explicit compositions of a recur- 
sive function with a co-recursive one, with an intermediate data-structure of a tree type, 
which can be deforested to produce the standard formulation of the algorithms. Sorting 
algorithms have been defined as hylomorphims elsewhere pQ. 

The paper is structured as follows: Section [2] reviews standard material on sorting in the 
functional setting, including the algorithms that will be considered in the main sections of 



the paper. Section [3] contains background material on program calculation, based on unicity 
(or universal) properties of recursion pattern operators. Section 0] then introduces two generic 
algorithms for sorting, based on insertion into an intermediate structure of a container type 
(in a leftwards and rightwards fashion respectively). Sections [6l and [7] present the deriva- 
tions of merge sort, quicksort, and heapsort, which are based on instantiations of the generic 
algorithms. Finally we conclude the paper in Section El 

2 Sorting Homomorphisms and Divide-and-conquer Algorithms 

Consider a very simple algorithm for sorting a list, usually known under the name of insertion 
sort. We give it here written in Haskell. 

isort [] = [] 

isort (x:xs) = insert x (isort xs) 

where insert inserts an element in a sorted list. This is certainly a natural way of sorting a 
list in a traditional functional language: since the list structurally consists of a head element x 
and a tail sublist xs, it is natural to recursively sort xs and then combine this sorted list with 
x. This pattern of recursion can be captured by the foldr operator, resulting in the following 
definition where explicit recursion has been removed. 

isort = foldr insert [] 

Actually, any sorting function is a list homomorphism [3 6j, which means that if the initial 
unsorted list is split at any point and the two resulting sublists are recursively sorted, there 
exists a binary operator that can combine the two results to give the final sorted list. 



This operator is of course the (linear time) function of type [a] — > [a] — > [a] that merges 
two sorted lists: 

merge [] 1 = 1 
merge 1 [] = 1 
merge (hl:tl) (h2:t2) 

I (hl<=h2) = hi: (merge tl (h2:t2)) 

I otherwise = h2: (merge (hl:tl) t2) 

The operator is associative with the empty list as unit, forming a monoid over lists. It is 
also commutative, insert can be defined in terms of as follows 



Insertion sort runs in quadratic time. Most well-know efficient sorting algorithms perform 
recursion twice, on subsequences obtained from the input sequence, and then combine the 
results (for this reason they are called divide-and-conquer algorithms). As such, they do not 
fit the simple iteration pattern captured by foldr. In the following we describe three different 
divide-and-conquer algorithms. 



isort (h-^+h) = (isort h) (isort l 2 ) 



insert x I = [x] I 




Heapsort. The principle behind heapsort is to traverse the list to obtain, in linear time, its 
minimum element y and a pair of lists of approximately equal size, containing the remaining 
elements (function haux). The lists are then recursively sorted and merged together, and y 
pasted at the head of the resulting list. 

haux x [] = (x, [],[]) 

haux x (y:ys) = let (z,l,r) = haux y ys 

in if x<z then (x,z:r,l) else (z,x:r,l) 



hsort [] = [] 

hsort (s:xs) = let (y,l,r) = haux x xs 

in y: (merge (hsort 1) (hsort r)) 



Quicksort. The criterion for obtaining the two sublists is here to use the head of the list (the 
only element accessible in constant time) as a pivot used to separate the remaining elements. 
The two sorted results need only be concatenated (with the pivot in the middle) to give the 
final result. 

qaux _ [] =(□,□) 

qaux x (h:t) = let (l,r) = qaux x t 

in if h<=x then (h:l,r) else (l,h:r) 

qsort [] = [] 

qsort (x:xs) = let (l,r) = qaux x xs 

in (qsort 1) ++ x: (qsort r) 



Merge Sort. This is similar to heapsort except that the minimum element is not extracted 
when the list is traversed. For this reason an extra base case is used. 

maux [] =(□,□) 

maux (x:xs) = (x:b,a) where (a,b) = maux xs 



msort [] = [] 
msort [x] = [x] 

msort xs = let (l,r) = maux xs 

in merge (msort 1) (msort r) 



These functional versions of the algorithms may be difficult to recognize for a reader used 
to the imperative formulations, where the sorting is usually done in place, on indexed arrays. 
All three are however widely known in the functional programming community formulated as 
above. 

3 Recursion Patterns, Unicity, and Hylomorphisms 

We direct the reader to [7] for an extensive introduction to the field of program calculation, 
and include here only the basic notions needed for expressing the proofs included in the paper. 



data BTree a = Empty | Node a (BTree a) (BTree a) 
type Heap = BTree 

data LTree a = Leaf (Maybe a) | Branch (LTree a) (LTree a) 



unfoldBTree :: (b -> (Either (a,b,b) ())) -> b -> BTree a 
unfoldBTree g x = case (g x) of 

Right () -> Empty 

Left (y,l,r) -> Node y (unfoldBTree g 1) (unfoldBTree g r) 

f oldBTree : : (a -> b -> b -> b) -> b -> BTree a -> b 
foldBTree f e Empty = e 

foldBTree f e (Node x 1 r) = f x (foldBTree f e 1) (foldBTree f e r) 



unfoldLTree :: (b -> (Either (b,b) (Maybe a))) -> b -> LTree a 
unfoldLTree g x = case (g x) of 
Right y -> Leaf y 

Left (l,r) -> Branch (unfoldLTree g 1) (unfoldLTree g r) 

foldLTree :: (b->b->b) -> ((Maybe a)->b) -> LTree a -> b 
foldLTree f e (Leaf x) = e x 

foldLTree f e (Branch 1 r) = f (foldLTree f e 1) (foldLTree f e r) 

Table 1. Types and recursion patterns for binary trees 



The fold recursion pattern can be generalized for any regular type; in the context of 
the algebraic theory of data-types folds are datatype-generic (in the sense that they are 
parameterized by the base functor of the type), and usually called catamorphisms. The result 
of a fold on a node of some tree data-type is a combination of the results of recursively 
processing each subtree (and the contents of the node, if not empty). 

The dual notion is the unfold (also called anamorphism): a function that constructs (pos- 
sibly infinite) trees in the most natural way, in the sense that the subtrees of a node are 
recursively constructed by unfolding. 

In the present paper we will need to work with two flavours of binary trees: leaf-labelled 
(for merge sort) and node-labelled trees (for the remaining algorithms). These types, and the 
corresponding recursion patterns, are defined in Table [TJ 

In principle, a fold is a recursive function whose domain is a type defined as a least 
fixpoint (an initial algebra), and an unfold is a recursive function whose codomain is defined 
as a greatest fixpoint (a final coalgebra). However, in lazy languages such as Haskell, least 
and greatest fixpoints coincide, and are simply called recursive types. 

At an abstract level, folds (as well as other structured forms of recursion, such as primitive 
recursion) enjoy an initiality property among the algebras of the base functor of the domain 
type. In concrete terms, this makes possible the use of induction as a proof technique. Dually, 



unfolds are final coalgebras; techniques for reasoning about unfolds include fixpoint induction 
and coinduction [5]. 



Unicity. The program calculation approach is based on the use of initiality and finality directly 
as an equational proof principle. Both properties can be formulated in the same framework, 
as universal or unicity properties. In this paper we generally adhere to the equational style 
for proofs, but often resort to induction for the sake of simplicity (in particular when none of 
the sides of the equality one wants to prove is directly expressed using a recursion pattern, 
applying a unicity property may require substantial manipulation of the expressions) . See [1] 
for a study of program calculation carried out purely by using fusion, including an adequate 
treatment of strictness conditions. 

We give below the unicity properties that we shall require in the rest of the paper, for 
the foldr, unfold LTree, and unfoldBTree operators. A weaker fusion law for foldr is also shown, 
which is easily derived from unicity. 

/ = foldr g e , c , , c . , . . 

( . ■ , r> -1 n ~i h o foldr g e = foldr g' e' 

{umcity-foldr} , . * . , 

j, , , _ ^ 1 {foldr- fusion} 

for all x, xs, 



f (x : xs) = g x (/ xs) 



h o (g x) = (</ x) oh 



f = unfold LTree g f = unfoldBTree g 

-£4> {unicity-unfoldLTree} 44> {unicity-unfoldBTree} 

for all x, for all x, 

f x = case (g x) of / x = case (g x) of 

Right y — > Leaf y Right () — > Empty 

Left (/, r) - Branch (/ I) (/ r) Left (y, I, r) - Node y (/ I) (/ r) 

Hylomorphisms. The composition of a fold over a regular type T with an unfold of that 
type is a recursive function whose recursion tree is shaped in the same way as T. Such a 
definition can be deforested [ID], i.e. the construction of the intermediate data-structures 
can be eliminated, yielding a direct recursive definition. As an example, the definition h = 
(fold LTree / e) o (unfold LTree g) can be deforested to give: 

h x = case (g x) of 

Right y -> e y 

Left (l,r) -> f (h 1) (h r) 



This corresponds to a new generic recursion pattern, called a hylomorphism. Hylomor- 
phisms do not possess a unicity property, but they are still useful for reasoning about pro- 
grams, using the properties of their fold and unfold components. In particular, hylomorphisms 
are useful for capturing the structure of functions that are not directly defined by structured 
recursion or co-recursion, as is the case of the divide-and-conquer sorting algorithms: the 
unfold component takes the unsorted list and constructs a tree; the fold iterates over this 
structure to produce the sorted list. The sorting algorithms introduced in the previous sec- 
tion were studied as hylomorhpisms in [lj. In the present paper we use this hylomorphic 
structure to calculate these algorithms from a common specification. 



4 Sorting by Insertion 



In the rest of the paper we will repeatedly apply the following principles. Consider a type 
constructor C and the following functions: 

istC : a — > C a — > C a 
C2list : C a -► [a] 

The idea is that C o is a container type for elements of type a (typically a tree-shaped type); 
istC inserts an element in a container to give a new container; and C2list converts a container 
into a sorted list of type a. 

A generic sorting algorithm can then be defined, with a container acting as intermediate 
data-structure. The idea is that elements are inserted one by one by folding over the list; a 
sorted list is then obtained using C2I ist. e :: C a is an appropriate "empty value". 

isortC = C2list o (foldr istC e) (2) 

It is easy to see that the algorithm is correct if the intermediate data-structure contains 
exactly the same elements as the initial list, and C2list somehow produces a sorted list from 
the elements in the intermediate structure. This can be formalized by constructing a proof of 
equivalence to insertion sort, which gives necessary conditions for the algorithm to be correct. 

C2list o (foldr istC s) = foldr insert [ ] 
44> {unicity-foldr} 

f C2list (foldr istC e [ ]) = [ ] 

1 C2list (foldr istC e (x : xs)) = insert x (C2list (foldr istC e xs)) 
44> {def. foldr} 
f C2list e = [ ] 

| C2list (istC x (foldr istC e xs)) = insert x (C2list (foldr istC e xs)) 
Alternatively one can use fusion, which leads to stronger conditions: 

C2list o (foldr istC e) = foldr insert [ ] 
■<= {foldr fusion} 
f C2list e=[] 

\ C2list o (istC x) = (insert x) o C2list 

Thus for each concrete container type it is sufficient to prove equation [3] and one of[Hor[5] 
to establish that the corresponding function isortC is indeed a sorting algorithm: 

C2list e = [] (3) 
C2list o (istC x) = (insert x) o C2list (4) 
C2list (istC x (foldr istC e xs)) = insert x (C2list (foldr istC e xs)) (5) 

Note that together, equations and H] mean that C2list is a homomorphism between the 
structures (C a, istC,e) and ([a], insert, [ ]). 

Observe that the above algorithm constructs the intermediate structure by inserting the 
elements from right to left. A tail-recursive version of isortC can be derived by a standard 
transformation based on fusion [2]. This will construct the intermediate structure in a right- 
wards fashion. We start by writing a specification for this function isortQ. 



isortLT = LT2list o buildLT 
buildLT = foldr istLT (Leaf Nothing) 



LT2list = foldLTree (0) t 

where t Nothing = [ 
t (Just x) = \x\ 

istLT x (Leaf Nothing) = Leaf (Just x) 

istLT x (Leaf(Just y)) = Branch (Leaf (Just a;)) (Leaf(Just y)) 
istLT x (Branch / r) = Branch (istLT x r) I 

Table 2. Sorting by insertion in a leaf tree 



isortQ : [a] — » C a — > [a] 
isortQ I y = (isort I) (C2list y) 

The tail-recursive function uses an extra accumulator argument of the chosen container type. 
In the call isortQ I y, I is the list that remains to be sorted, and the accumulator y contains 
elements already inserted in the container. The right-hand side of the equality states how the 
final result can be obtained using insertion sort and the conversion of y to a list. 

The following definition satisfies the specification (proof is given in Appendix lA.lj) . 

isortQ = foldr istC C2list 

where istC x f y = f (istC x y) 

Then isortQ I e = iSort I holds as an immediate consequence of the specification and eq. ([3]) 
above. An alternative version of this can be defined, which separates the tail-recursive con- 
struction of the intermediate structure from its conversion to a sorted list (note ape / = / e) : 

isortQ = C2list o (ape) o (foldr istC' id) (6) 

It is straightforward to establish that isortQ I = iSortQ I e, thus isortQ = iSort. 

In the next sections, the container type and its empty value, together with the functions 
istC and C2list, will be instantiated to produce three different insertion-based algorithms, 
using schemes [2] and [6l 

Each algorithm will be proved correct by calculating eqs. [3l and U] or [5] above. The next 
step will be to transform each algorithm into a hylomorphism that can then be deforested, 
resulting in a well-known sorting algorithm. For this, it will suffice to transform the function 
that constructs the intermediate tree into co-recursive form. 

5 A Derivation of Merge Sort 

Our first concrete sorting algorithm based on insertion into an intermediate structure uses 
leaf-labelled binary trees. This is given in Table El We remark that to cover the case of the 
empty list, a Maybe type is used in the leaves of the trees. 

Proposition 1. isortLT is a sorting algorithm. 



Proof. We instantiate eqs. ([3]) and ([!]). Note that the empty value here is e = Leaf Nothing. 



LT2list (Leaf Nothing) = [ ] 

LT2list o (istLT x) = (insert x) o LT2list 

The first equality if true by definition; the second can be proved by induction, or alter- 
natively using fusion. The latter proof is given in Appendix IA.21 Together these equations 
establish that LT2list is a homomorphism between the structures (LTree a, istLT, Leaf Nothing) 
and ([a], insert, [ ]). 

It is also easy to see that the intermediate tree is balanced: the difference between the 
heights of the subtrees of a node is never greater than one, since subtrees are swapped at each 
insertion step. Note that the insertion function istLT was carefully designed with efficiency in 
mind, which grants execution in time O(NlgN); other solutions would still lead to sorting 
algorithms, albeit less efficient. 

Proposition 2. The trees constructed by buildLT are balanced. 

Proof. It can be proved by induction on the structure of the argument list that either the 
subtrees of the constructed tree have the same height, or the height of the left subtree is 
greater than the height of the right subtree by one unit. The function istLT preserves this 
invariant. 

The next transformation step applies to the function that constructs the intermediate tree. 
An alternative way of constructing a balanced tree is by unfolding: the initial list is traversed 
and its elements placed alternately in two subsequences, which are then used as arguments to 
recursively construct the subtrees. Note that the sequences will have approximately the same 
length. For singular and empty lists, leaves are returned. 

unfoldmsort = unfoldLTree g 

whereg [ ] = Right Nothing 
g [x] = Right (Just x) 
g xs = Left (maux xs) 
maux[] = ([],[]) 

maux (h : t) = (h : b,a) where (a, b) = maux t 

Proposition 3. The above function constructs the same intermediate trees as those obtained 
by folding over the argument list: 

foldr istLT (Leaf Nothing) = unfoldmsort 

Proof. We use the unicity property of leaf-tree unfolds: 



isortH = H2list o buildH 
buildH = foldr istH Empty 

H2list = foldr aux [] 

where aux x I r — x : (I r) 

istH x Empty = Node x Empty Empty 

istH x (Node y I r) \ x < y = Node x (istH y r) I 

otherwise = Node y (istBST x r) I 

Table 3. Sorting by insertion in a heap 



foldr istLT (Leaf Nothing) = unfoldLTree g 

<S4> {unicity-unfoldLTree} 
for all x, 

(foldr istLT (Leaf Nothing)) x = case (g x) of 
Right y — » Leaf y 
Left (Z,r) Branch (f I) (f r) 

{by cases} 

Leaf Nothing = Leaf Nothing if x = [ } 

Leaf(Just h) = Leaf(Just h) if x = [h] 

istLT hi (foldr istLT (Leaf Nothing) (h 2 : t)) 
= Branch (foldr istLT (Leaf Nothing) /) 

(foldr istLT (Leaf Nothing) r) if x = h\ : h 2 : t 
where (l,r) = maux (hi : hi : t) 

And the last equality can be easily proved by induction on the structure of t. 



Substituting this in the definition of isortLT yields a hylomorphism that is of course still 
equivalent to insertion sort. It is immediate to see that this can be deforested, and the result 
is merge sort: 

LT2list o unfoldmsort = msort 



6 A Derivation of Heapsort 

In the heapsort algorithm, one computes the minimum of the list prior to the recursive calls. 
This will determine that each node of the intermediate structure (the recursion tree) this 
minimum for some tree; it is thus a binary node-labelled tree. 

We repeat the program taken for the derivation of the merge sort: we design a function 
that inserts a single element in the intermediate tree (istH), iterate this function over the 
initial list (buildH) and then provide a function that recovers the ordered list from the tree 
(H2list). These functions are shown in Table O 

Proposition 4. isortH is a sorting algorithm. 

Proof. We instantiate eqs. ([3]) and ([5]). We set e = Empty, and thus eq. ([3|) results directly 
from the definition. For eq. ([5|), we need to prove that for every list I, 



insert x (H2list (buildH I)) = H2list (istH x (buildH /)). 



In order to prove this, we rely on the fact that trees generated by buildH are always heaps, 
i.e. the root element is the least of the tree. The complete derivation is presented in appendix 
E (Propositions E and QJ . 

Note that in order to prove the correctness of this algorithm, we cannot rely on the 
strongest hypothesis given by eq. 0] (obtained from the use of the fusion law) as we have done 
for merge sort. The reason for this is that, for an arbitrary tree t, 

insert x (H2list t) ^ H2list (istH x t). 

On the other hand, the weaker requisite given by eq. [5] (obtained by the use of unicity or 
induction) retains the information that we restrict our attention to trees constructed by 
buildBST, and these will satisfy the required equality. 

We also note that the intermediate tree is again balanced (essentially by the same argument 
used for merge sort). This means that this sorting algorithm also executes in time 0{N\gN). 

It remains to show that the intermediate tree can be constructed coinductively. For that, 
consider the following function: 



unfoldhsort = unfoldBTree g 

whereg [] = Right () 

g (x : xs) = Left (haux x xs) 

hauxx[] =( x , [},[]) 

haux x (y : ys) \ x < m = (x , m : b, a) 

| otherwise = (m, x : b,a) 

where (m,a,b) = haux y ys 



Proposition 5. The above function constructs the same intermediate trees as those obtained 
by folding over the argument list: 



buildH = unfoldhsort 



Proof. 

unfoldhsort = buildH 
-£4> {by unicity — unfoldBTree} 
buildH [] = Empty 

buildH (x : xs) = Node z (buildH a) (buildH b) 

where (z, a, b) = haux x xs 
•44- {definitions} 
Empty = Empty 

istH x (buildH xs) = Node z (buildH a) (buildH b) 

where (z, a, b) = haux x xs 

The second equality is proved by structural induction on xs. For the base case (xs = []), 
it follows directly from evaluating the definitions. For the inductive step (xs = y : ys), let us 
assume that (z, a, b) = (haux y ys). The definition of haux tell us that 



(z , a, b') = (haux x (y : ys)) 



(x, z : b,a) if x < z, 
(z, x : b,a) if x > z. 



isortBST = BST2list o buildBST 
buildBST = (ap Empty) o bAcc 

where ap x f = / x 

bAcc = foldr aux id 

aux x f a = / (istBST x a) 

BST2list = foldBTree aux [] 

where aux x I r — I +\-(x : r) 

istBST x (Empty) = Node x Empty Empty 

istBST x (Node y I r) \ x < y = Node y (istBST x I) r 

otherwise = Node y I (istBST x r) 

Table 4. Sorting by insertion in a binary search tree 



Thus, 

istH x (buildH (y : ys)) 
= {def. buildH} 

istH x (istH y (buildH ys)) 
= {induction hypotheses} 

istH x (Node z (buildH a) (buildH b)) 
= {def. istH} 

Node x (istH z (buildH b)) (buildH a) if x < z, 
Node z (istH x (buildH b)) (buildH a) if x > z. 
= {def. of z',a',b'} 

Node z' (buildH a') (buildH b') 

As would be expected, the hylomorphism obtained replacing buildH by unfoldhsort can be 
deforested, and the result is the original hsort. 

H 2 1 i st o unfoldhsort = hsort 
7 A Derivation of Quicksort 

In the quicksort algorithm, the activity performed prior to the recursive calls is different from 
that in heapsort: instead of finding the minimum of the list, the head of the list is used as a 
pivot for splitting the tail. Again, the intermediate structure is a node-labelled binary tree. 
But now, its ordering properties are different — the constructed trees will be binary search 
trees, and it suffices to traverse these trees in-order to produce the desired sorted list. 

Following the same line as in the derivation of the previous algorithms, we define an 
algorithm that iteratively inserts elements from a list into a binary tree and then reconstructs 
the list by the in-order traversal. This algorithm is given in Table [U 

Observe that this algorithm iterates on the initial list from left to right (we may think of 
it as using the Haskell foldl operator, but we write it as a higher-order function using foldr, to 
exploit the application of the rules presented earlier). This will become evident below when 
we replace this function by one that constructs the intermediate tree corecursively. For the 
correctness argument, we know that the order of traversal for the initial list is irrelevant (as 
shown in Section 



Proposition 6. isortBST is a sorting algorithm. 



Proof. We instantiate eqs. [3] and El We set e = Empty, and thus Equation [3] results directly 
from the definition. For Equation [5j we need to prove that for every list, 



insert x (BST2list (buildBST I)) = BST2list (istBST x (buildBST I)). 

In order to prove this, we rely on the fact that trees generated by buildBST are always binary 
search trees. The complete derivation is presented in appendix iBl (Propositions 1101 and l2|). 

To obtain the well-known quicksort algorithm, we need to replace the iterated insertion 
function buildBST by an unfold. 

unfoldqsort = unfold BTree g 

whereg [] = Right () 

g (x : xs) = Left (qaux x xs) 

qauxxf] = (x, [],[]) 

qaux x (y : ys) \ y < x = (x,y : b, a) 

| otherwise = (m, a,y : b) 

where (a, b) = qaux x ys 

Proposition 7. The above function constructs the same intermediate trees as those obtained 
by folding over the argument list: 



buildBST = unfoldqsort 



Proof. 

unfoldqsort = buildBST 

4$ {unicity-unfolBTree} 
buildBST [] = Empty 

buildBST (x : xs) = Node x (bAcc a Empty) (bAcc b Empty) 
where (a, b) = qaux x xs 
O {definitions} 

bAcc [] Empty = Empty 

bAcc (x : xs) Empty = Node x (bAcc a Empty) (bAcc b Empty) 
where (a, b) = qaux x xs 
O {simplification} 
Empty = Empty 

bAcc xs (Node x Empty Empty) = Node x (bAcc a Empty) (bAcc b Empty) 

where (a, b) = qaux x xs 

We prove the second equality in a slightly strengthened formulation. For every tree 
(Node x I r) and list xs, 

bAcc xs (Node x I r) = Node x (bAcc a I) (bAcc b r) 

where (a, b) = qaux x xs 



By induction on the structure of xs. For the base case (xs = []), it follows directly from 
evaluating the definitions. For the inductive step (xs = y : ys), we reason by cases. If x < y, 
then 

bAcc (y : ys) (Node x V r') = Node x (bAcc a' I') (bAcc b' r') 
where (a', b') = qaux x (y : ys) 
<3> {definition, x < y} 

bAcc ys (istBST y (Node x I' r') = Node x (bAcc a V) (bAcc (y : b) r') 
where (a, b) = qaux x ys 
<3> {definition, x < y} 

bAcc ys (Node x I' (istBST y r') = Node x (bAcc a I') (bAcc b (istBST y r')) 
where (a, b) = qaux x ys 
-£4> {induction hypoptheses} 

bAcc ys (Node x I' (istBST y r') = bAcc ys (Node x I' (istBST y r')) 
where (a, b) = qaux x ys 

Similarly for the case (x > y). This concludes the proof. 

We conclude with the statement that the hylomorphism obtained is, as intended, the 
forested version of the original quicksort algorithm. 

BST2list o unfoldqsort = qsort 

8 Conclusion 

This paper illustrates the strengths of the "program calculation" style of reasoning, in particu- 
lar the simplicity of using the unicity property of unfolds as an alternative to using coinductive 
principles based on bissimulations, and more generally the structural aspects of proofs. In- 
ductive proofs are however often much simpler to carry out than using the equational style, 
so we are not dogmatic about the style in which proofs are presented. 

Apart from the proofs of correctness which as far as we know are new, the contributions 
of this paper include (two versions of) a generic sorting algorithm, of which 3 concretizations 
are used. The role played by structural invariants in this study should also be emphasized. 

Even when they are not crucial to the calculations, invariants provide a much more natural 
setting for conducting them. Morevoer, efficiency properties of the algorithms, which we 
have left out of this study, can only be established using well-balancing invariants on the 
intermediate trees (these invariants can easily be proved by induction for both isortLT and 
isortH, which run in time O(NlgN)). 

Another application of invariants would come up in a generic programming setting: the 
C 2 1 i st functions would have a single definition for every tree type: the function would merge 
together the lists resulting from recursive calls with the (wrapped) contents of nodes and 
leaves. For each concrete intermediate type, the structural invariants would then allow us to 
refine the definition into the one given in this paper. 

This study opens the way to a richer interplay between invariants and recursion patterns 
- a topic that is not explored in this paper, but is being currently investigated by the authors. 

Finally, we have left completely out of the paper a study of stability of the sorting algo- 
rithms, an important property in the presence of data-types for which the order is not total. 
Some of the algorithms derived are stable and others are not, which means that under this 
premise, which invalidates commutativity of 0, they are not all equivalent. 
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A Proofs and Calculations 



A.l 

The function 



isortQ = foldr istC' C2list 

where istC x f y = f (istC x y) 



satisfies the specification 

isortQ : [a] — > C a — > [a] 
isortQ I y = (isort I) (C2list y) 

Proof. The specification can be rewritten as 

isortQ I y = (isort I) (By 



or 



isortQ = (©) o isort 



with the © operator defined as 



s © y = s (C2list y) 
This appeals to the use of the fusion law since isort is defined as a fold. 

isortQ = (©) o isort 

{definitions} 
foldr istC' C2list = (ffi) o (foldr insert [ ]) 
<= {foldr fusion, with © strict} 
(©)[] = C2list 

(©) o (insert x) = (istC x) o (ffi) 
<^ {ry-expansion} 
[]ffiy = C2listy 

(insert x I) © y = istC x ((©) I) y 
4^ {def. ©, properties of 0, def. istC'} 
C2list y = C2list y 
(insert x I) ffi y = I ffi (istC x y) 
O {eq.O, def. ffi} 

[ac] I (C2list y) = I (C2list (istC x y)) 
O {eq. ©} 

[x] Z (C2list y) = / (insert sc (C2list y)) 
O {eq.([I|), properties of 0} 

[x] / (C2list y) = [x] © I © (C2list y) 

A.2 

We prove 

LT2list o (istLT x) = (insert x) o LT2list 

first by calculation, and then using induction. 



paraLTree :: ((LTree a)->b->(LTree a)->b->b)-> ((Maybe a)->b)-> LTree a-> b 
paraLTree f g (Leaf x) = g x 

paraLTree f g (Branch 1 r) = f 1 (paraLTree f g 1) r (paraLTree f g r) 



h = paraLTree f g ho (paraLTree / g) = paraLTree a b 

<S> {unicity-paraLTree} <^ {paraLTree-fusion} 
h o Leaf — g h strict A h o g — b A 

for all I, r, h(f I l' r r') = a I (h I') r (h r') 

h (Branch I r) — f I (h I) r (h r) 

Table 5. The list paramorphism recursion pattern and laws 



Proof by Calculation. It is easy to see that the insertion function istLT cannot be written as a 
fold over trees, since it uses one of the subtrees unchanged (insertion will proceed recursively 
in the other subtree). This is a typical example of a situation where iteration is not suffi- 
cient: primitive recursion is required. This has been studied as the paramorphism recursion 
pattern [5]. The operator in Table embodies this pattern for leaf-trees. The corresponding 
unicity property and fusion law [9] are also shown in the table. 

The function istLT x can now be written as the following paramorphism of leaf trees 

istLT x = paraLTree / g 

where g Nothing = Leaf(Just x) 

g (Just y) = Branch (Leaf(Just x)) (Leaf(Just y)) 
f I I' r r' = Branch r' I 

We use the following strategy: we apply fusion to prove the left-hand side of the equality 
equivalent to a new paramorphism; subsequently we prove by unicity that the right-hand side 
of the equality is also equivalent to this paramorphism. 

LT2ist o (istLT x) = paraLTree a b 
44> {def. of istLT paramorphism} 

LT2list o (paraLTree f g) = paraLTree a b 
•<= {paraLTree-fusion, with LT2list strict} 

f LT2listo2 = b 

\ LT2list(/ IV r r') = al (LT2list I') r (LT2list r') 
44> {r/-expansion, def. f,g} 

LT2list (Leaf(Just x)) = b Nothing 

LT2list (Branch (Leaf(Just x)) (Leaf(Just y))) = b (Just y) 
LT2list (Branch r' I) = a I (LT2list /') r (LT2list r') 
{def. LT2list} 
[x] = b Nothing 
[x] Q[y} = b (Just y) 

(LT2list r') (LT2list I) = a I (LT2list V) r (LT2list r') 



We are thus led to define 



b Nothing = [x] 

b (Just y) = [x] [y] 

all" r r" = r" (LT2list I) 



It remains to prove (insert x) o LT2list = paraLTree a b. Again we proceed by using fusion; 
the trick is now to write the fold LT2list as a paramorphism (this is always possible since it 
is a particular case). 

(insert x) o LT2list = paraLTree a b 

-£4> {unicity-paraLTree, with (insert x) strict} 
J (insert x) o LT2list o Leaf = b 

\ (insert x) (LT2list (Branch I r)) = a I (insert x (LT2list I)) r (insert x (LT2list r)) 
^ {def. of LT2list} 
J (insert x) o g = b 

\ insert x (/ I (LT2list I) r (LT2list r)) = a I (insert x (LT2list I)) r (insert x (LT2list r)) 

where 

g Nothing = [ ] 
9 (Just y) = [y] 
f 1 1' r r' = V Or' 
{?]-expansion, def. of /, g, a, b} 
insert x [ ] = [x] 
insert x [y] = [x] [y] 

insert x (LT2list I LT2list r) = (insert x (LT2list r)) (LT2list i) 
44> {(HJ and properties of 0} 

f H = N 

< [x] [y] = N [y] 

k [xj © (LT2list (LT2list r) = [x] (LT2list Z) (LT2list r) 

Proof by Induction. 

1. c = Leaf Nothing 

LT2list (istLT x (Leaf Nothing)) = insert x (LT2list (Leaf Nothing)) 

{def. istLT, LT2list} 
LT2list (Leaf (Just x)) = insert x [ | 
44> {def. LT2list, insert} 

[x] = [x] 

2. c = Leaf (Just y) 

LT2list (istLT x (Leaf (Just y))) = insert x (LT2list (Leaf (Just y))) 
{def. istLT, LT2list} 

LT2list (Branch (Leaf (Just x)) (Leaf (Just y))) = insert x [y] 
44> {def. LT2list, Spec, theorem} 

(LT2list (Leaf (Just x))) (LT2list (Leaf (Just y))) = (wrap x) [y] 
<^ {def. LT2list, wrap} 

[x] [y] = [x] [y] 



3. c = Branch I r 



LT2list (istLT x (Branch / r)) = insert x (LT2list (Branch / r)) 
^ {def. istLT, LT2list} 

LT2list (Branch (istLT x r) I) = insert x ((LT2list /) (LT2list r)) 
44> {def. LT2list, Spec, theorem} 

(LT2list (istLT x r)) (LT2list I) = (wrap x) ((LT2list /) (LT2list r)) 
^ {induction, commut. 0} 

(insert x (LT2list r)) (LT2list /) = (wrap x) ((LT2list r) (LT2list I)) 
44> {Spec, theorem, assoc. 0} 

(wrap x) (LT2list r) (LT2list /) = (wrap x) (LT2list r) (LT2list /) 



B Tree Invariants 



In order to prove certain equalities, it is convenient to introduce a notion of invariant that 
captures properties satisfied by the intermediate structures. These invariants are defined struc- 
turally on the data types. 

For every predicate p : A — > Bool, we consider the following inductive predicates: 

(AULp []) 

Vx, xs.(p x) A (All L p xs) =4> (All L p (x : xs)) 
(AIIT p Empty) 

Vx, Z, r.(p x) A (AIIT p I) A (AIIT p r) (AIIT p (Node x I r) 

(BST Empty) 

Vx,Z,r.(ANT (< x) Z) A (AIIT (> x) r) A (BST Z) A (BST r) 4 (BST (Node x I r)) 

(HEAP Empty) 

Vx,/,r.(AIIT (> x) /) A (AIIT (> x) r) A (HEAP Z) A (HEAP r) 4 (HEAP (Node x I r)) 
Let us start stating some simple properties concerning lists and trees. 
Lemma 1. For every values x,y and lists I1.I2, we have: 

1. x <y=> insert x (Zi -H-[y] -H-Z2) = (insert x Zi) +f [y] 4-H 2 

2. (AIIL (< x) Zi) ^> insert x (Zi +f Z 2 ) = Zi +f (insert x Z 2 ) 
5. (Vx.p 1491)4 AIIL p h=> AIIL g Zi 

4. (AIIL p (Zi -H-Za)) 4 (AIIL p Z x ) A (AIIL p Z 2 ) 

5. (AIIL (< x) Zi) 4 insert x l\ = x : l\ 

Proof. Simple induction on l±. 

Lemma 2. For every tree t and value x, 

1. (AIIT pt) 4 (AIIL p (BST2list t)) 

2. (AIIT pt)=> (AIIL p (H2list t)) 

5. (p x) A (AIIT p i) (AIIT p (istBST x t) 
^. (p x) A (AIIT pt)=> (AIIT p (istH x t) 

Proof. Induction on t. 

We are now able to prove the required properties. For heapsort, we explore the fact that 
the intermediate structure is a heap (its root keeps the least element). 

For the heapsort algorithm, we explore the fact that the intermediate tree is a heap. 

Proposition 8. 

(HEAP t) 4 insert x (H2list t) = H2list (istH t) 



Proof. By induction on the structure of t. The base case follows immediately from the defi- 
nitions. For the induction step we have: 



insert x (H2list (Node y I r)) 
= {def. H2list} 

insert x (y : (H2list I) (H2list r)) 
= {def. insert} 

fx : y : ((H2list I) (H2list r)) if x < y, 

|y : (insert x ((H2list I) (H2list r))) if x > y, 
= {lemma [H (5)} 

fx : (insert y ((H2list /) (H2list r))) if x < y, 

[y : (insert x ((H2list /) (H2list r))) if x > y, 
= {commutativity and associativity of 0} 

fx : (([y] (H2list r)) (H2list /)) if x < y, 

\y : (([x] (H2list r)) (H2list I)) if x > y, 
= {induction hypotheses} 

fx : ((H2list (istH y I)) (H2list r)) if x < y, 

[y : ((H2list (istH x I)) (H2list r)) if x > y, 
= {def. H2list} 

{H2list (Node x (istH y I) r) if x < y, 
H2list (Node y (istH x /) r) if x > y, 
= {def. istH} 

H2list (istH x (Node y / r) 

To prove that the intermediate tree is actually a heap, we prove that insertion of elements 
preserves the invariant. 

Proposition 9. For every value x and tree t, 

(HEAP t) (HEAP (istH x t))). 

Proof. Induction on t. The base case follows immediately from the definitions. For the induc- 
tion step we have: 

(HEAP (istH x (Node y I r))) 
& {def. istH} 

f (HEAP (Node x (istH y r) I)) if x < y, 
| (HEAP (Node y (istH x r) I)) if x > y, 

In fact, when x < y we have: 

(ANT (> x) (istH y /)) by lemma EI (2) and (HEAP (Node y I r)) 

(ANT (> x) r) by (HEAP (Node y I r)) 

(HEAP (istH x r)) by induction hypotheses and (HEAP (Node y / r)) 

(HEAP by (HEAP (Node y / r)) 

We reason similarly when x > y. 



And now, the required result follows directly by induction. 
Corollary 1. For every list I, 

(HEAP (buildH 0) 

Proof. Simple induction on I. 

For the quicksort algorithm, we explore the fact that the intermediate tree is a binary 
search tree. 

Proposition 10. For every value x and tree t, 

(BST t) insert x (BST2list t) = BST2list (istBST t) 

Proof. By induction on the structure of t. The base case follows immediately from the defi- 
nitions. For the induction step we have: 

insert x (BST2list (Node y I r)) 
= {def. BST2list} 

insert x ((BST2list I) -H-[y] -H-(BST2list r)) 
= {lemma [U (1,2), [2] (1) and hypotheses (BST (Node y I r))} 

J (insert x (BST2list I)) -\+[y] -H-(BST2list r) if x < y, 

\ (BST2list I) -H-[y] -H-(insert x (BST2list r)) if x > y, 
= {induction hypotheses} 

J (BST2list (istBST x I)) -\+[y] ^(BST2list r) if x < y, 

\ (BST2list I) -H-[y] ^(BST2list (istBST x r)) if x > y, 
= {def. BST2list} 

fBST2list (Node y (istBST x I) r) if x < y, 

[BST2list (Node y I (istBST x r)) if x > y. 
= {def. istBST} 

BST2list (istBST x (Node y I r)) 

Again, we note that the insertion function preserves the invariant. 

Proposition 11. For every value x and tree t, 

(BST t) (BST (istBST x t))). 

Proof. Induction on t. The base case follows immediately from the definitions. For the induc- 
tion step we have: 

(BST (istBST x (Node y I r))) 
^ {def. istBST} 

J (BST (Node y (istBST x I) r)) if x < y, 
| (BST (Node y I (istBST x r))) if x > y, 
In fact, when x < y we have: 

(ANT (< y) (istBST x I)) by lemma[2] (2) 

(ANT (> y) r) by (BST (Node y I r)) 

(BST (istBST x I)) by induction hypotheses and (BST (Node y I r)) 

(BST r) by (BST (Node y I r)) 

We reason similarly when x > y. 



And the required result follows directly by induction. 
Corollary 2. For every list I, 

(BST (buildBST /)) 

Proof. Simple induction on I. 



C Alternative Derivation 

In this appendix we present a slight variation on the strategy for deriving the sorting algo- 
rithms. This variation clarifies the role of the invariants on intermediate structures in the 
correctness argument of these algorithms. 

When we compare the proof effort required to establish the correctness of the "sorting 
by insertion" algorithms, we note that there is significant difference between isortLT and the 
other two algorithms (isortH and isortBST). As explained in the main text, this is because the 
correctness for the last two algorithms depend on properties of the intermediate structure. 
However, we can explain that difference at a more abstract level — one might argue that 
isortLT is closer to the specification of a generic insertion sort presented at Section 01 To 
illustrate this point, let us recall the definition of these algorithms (we omit the definitions 
not relevant for this discussion): 



isortLT 
isortH 
isortBST 
LT2list 



H2list 
BST2list 



LT2listo buildLT 
H2listo buildH 
BST2listo buildBST 
foldLTree (0) t 

where t Nothing = [ 
t (Just x) = \ 
foldr aux [] 
where aux x I r = x 
foldBTree aux [ 

where a ux x I r = I - 



(iQr) 
-f(x : r) 



We observe that LT2list uses only to construct (non trivial) lists. On the other side, H2list 
and BST2list make use of other functions (namely (:) and (-H-)). That distinction makes the 
later two sensible to the ordering attributes of the intermediate tree. 

Let us make one step back and define the following variants of isortH and isortBST algo- 
rithms: 

isortH' = BT2listo buildH 
isortBST' = BT2list o buildBST 
BT2list = foldr aux [] 

where aux x I r = [x] (I r) 

Now, the conversion of binary trees into lists (BT2list) does not assume any ordering constrains 
on these trees. In fact, BT2list and LT2list should be read as two instances of the same polytypic 
function. 

It is interesting to verify that, for these modified functions, the correctness argument is 
essentially the same as for isortLT. 



Proposition 12. isortH' and isortBST' are sort algorithms. 



Proof. We instantiate eqs. (|3|) and (j3J) for both functions. We set e = Empty, and thus eq. ([5]) 
results directly from the definition. For eq. (jSJ), we need to prove that for every binary tree t 



and value x, 



(BT2list o (istH x)) t = ((insert x) o BT2list) t 
(BT2listo (istBST x)) t = ((insert x) o BT2list) t 



These are proved by induction on the structure of t. We show the proof of the first one (the 
second is similar). The base case is trivial. For the induction step we have: 

BT2list(istH x (Node y I r)) 
= {def. istH} 

J (BT2list(Node x (istH y r) I)) if x < y, 

|(BT2list(Node y (istH x r) I)) if x > y, 
= {def. BT2list} 

J [x] ((BT2list (istH y r)) (BT2list I)) iix<y, 

[ [y] ((BT2list (istH x r)) (BT2list I)) itx>y, 
= {induction hypotheses} 

f N © i([y] © (BT2list r)) (BT2list I)) ifx<y, 

\[y] ((M (BT2list r)) (BT2list I)) 
= {comutativity and associativity of 0} 

[x] {[y] ((BT2list /) (BT2list r))) 
= {def. BT2list} 

[x] (BT2list (Node y I r)) 

In order to refine isortH' and isortBST' to heap sort and quicksort, we should now proceed 
in two independent paths: 

— to show that the construction of the intermediate tree can be performed co-inductively 
(i.e. buildH and buildBST are equal to unfoldhsort and unfoldqsort respectively); 

— to show that the tree conversion into the resultant list can be simplified to their standard 
formulation (i.e. BT2list can be replaced by H2list for the heapsort and by BST2list for 
the quicksort). 

The first point was performed in the main text (c.f. Propositions [5] and [7]) . The second is 
the one that should consider the ordering properties induced by the building process for each 
case — more precisely, one proves: 

BT2list o buildH = H2list o buildH 
BT2list o buildBST = BST2list o buildBST 

As in appendix [Bj it is convenient to make explicit the structural invariants possessed by the 
intermediate structures in each case. That is, 

(HEAP t) BT2list t = H2list t 

(BST t) BT2list t = BST2list t 



The proof require a simple lemma relating with ordering predicates. 



Lemma 3. For every 



1. (AIIL (x <) l\) [x]Qh = x:h 

2. (AIIL (x >) h) =>- Ii0(i: l 2 ) = h +\-(x : h) 

3. (AIIL p l{) A (AIIL p l 2 ) =^ (AIIL p (h l 2 )) 

Proof. The first two are proved by simple induction on the structure of l\. The third by 
mutual induction on l\ and l 2 . 

Now, the required properties follow by simple induction. The base case is, in both cases, 
trivial. For the induction step, we have for H2list: 

BT2list (Node x I r)) 
= {def. BT2list} 

[x] ((BT2list I) (BT2list r)) 
= {induction hypotheses} 

[x] ((H2list I) (H2list r)) 
= {def. of H EA P and lemma H ( 1 ,3) } 

x : ((H2list I) © (H2list r)) 
= {def. H2list} 

H2list (Node x I r) 

and for BST2list: 

BT2list (Node x I r)) 
= {def. BT2list} 

[x] ((BT2list /) (BT2list r)) 
= {induction hypotheses} 

[x] ((BST2list I) (BST2list r)) 
= {commutativity and associativity of 0} 

(BST2list I) ([a;] (BST2list r)) 
= {def. of BST and lemma [3] (1,2)} 

(BST2list /) (x : (BST2list r)) 
= {def. BST2list} 

BST2list (Node x I r) 



